Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Group Policy

Posted on 2011-02-13
8
Medium Priority
?
322 Views
Last Modified: 2012-05-11
I want to check Group Policy to see where in the registry on the client's PCs this is being deployed. Can I check this in the Sysvol folder where the GPO settings are stored?

I am familiar with GPresult and RSoP, but I want to know can this be done from the Sysvol Folder.
0
Comment
Question by:JBond2010
  • 4
  • 3
8 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34883409
Check this MS article about "How to check GPO's GUID" and the look for this string using F3 in registry

http://support.microsoft.com/kb/216359

Regards,
Krzysztof
0
 
LVL 15

Author Comment

by:JBond2010
ID: 34883509
Thanks Krzysztof but its not really what I'm looking for. Let me try to explain more clearly. If I create a new GPO, say for example restricting users from using usb keys so they can't transfer information. I know that the new GPO will have a GUID and that will be in Active Directory Container folder for GPOs.

Say for example I want to disable the GPO on a 1 client's PC, I can do this by editing the registry of the GPO on client,s machine.

From the Sysvol is there a way of checking the GPO to see where the GPO will target the registry on the client's PCs.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34883713
No, since some GPOs don't edit registry. What the best way to stop gpo from applying to Windows Users or Computers is to use GPO Security Filtering

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

So, basically you can't find out from SYSVOL exactly where in the registry that a GPO will be applied.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34884168
Yup, Darius is right. The only one way for that is Group Policy Security Filtering. Most of the GPO settings are not stored in the registry. Only settings from "Administrative Templates" modify clint's registry (and they could be located in appropriate hives).

Krzysztof
0
 
LVL 15

Author Comment

by:JBond2010
ID: 34886569
What I want is to manually disable the GPO from a Client's PC so I don't have to do this in the Group Policy Filtering. I have done this before by editing the registry temporarily so a certain could use a USB key.

With registry based GPOs, I thought there was a way you could check the settings of the GPO to see where the GPO targets the registry. I was sure you could do this from the Sysvol folder.
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 34886724
It is possible but it's a little tricky :)

Open GPMC and edit that particular GPO. Select Administrative Templates and click on it right mouse button, choose "Add/Remove Templates". You should see window with Administrative Templates (*.adm files)

By default in each GPO you will find:

- conf
- inetres (Internet Explorer settings)
- system (System settings)
- wmplayer (Windows Media Playes)
- wuau (if WSUS is present)

and additional if you added them there.

Notice policy name under GPO you want to find and write it down. Now, locate this GPO's GUID and go to SYSVOL folder to ADM folder. Edit particular ADM file in notepad and search for written policy name.

In Windows default templates, Microsoft used variables, so when you find that string on the left is its variable name. Look this variable in template (POLICY section) and locate KEYNAME and VALUE sections. KEYNAME is a registry hive and VALUE is value in particular registry key. In custom ADM files probably you have no variables, so you can identify KEYNAME and VALUE from direct POLICY section.

If you have more questions let me know. I would try to prepare guide for you :]

Krzysztof

0
 
LVL 15

Author Comment

by:JBond2010
ID: 34919788
Thank you for you help Krzysztof.


0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34920674
You're welcome :)
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question